On 14/04/13 17:56, Linda Walsh wrote:
lynn wrote:
return only local users
I've never used 'sssd', and wondered if your problem had anything to do with settings in samba -- specifically those for winbind. I'm thinking that sssd doesn't use or care about winbind, but note -- winbind has params for enum users, enum groups, AND winbind **expand** groups. Expand groups controls the recursive expansion and defaults to '1' in samba. The enum controls also default to 'no'.
You mention you turned on enumeration. In winbind, that usually means samba is allowed to return the list of "all users" or the list of "all groups"... but doesn't control *expanding* those groups.
I don't know if sssd has a similar parameter, but if you are using windows logins, are you sure you want sssd and not winbind?
Second note -- you have access_provider = simple => meaning simple access list that does NOT enumerate. You also seem to be configuring ldap. Assuming you are using ldap, don't you want access_provider = ldap?
Note -- I stress again --- I've never used sssd, so I really don't know if either of the above are issues.
Also note: getent only returns the given database's key-value. I don't see anything to indicate it can do anything other than that. I.e. if it DID expand things, then it wouldn't be returning the database key's value, which would seem to violate the documented behavior.
Hi Linda

We've turned to sssd to rid ourselves of the winbind nightmare on the Samba4 DC's. It just isn't ready. We've also tried nss-ldapd instead of winbind and it works perfectly, but needs the key to be cached and maintained to keep the client up, which is a pain. sssd looks ideal as you can get a client up in a matter of minutes as you can use any relevant key from the keytab which is produced when you join the domain.

No, with AD, access is via Kerberos, not ldap so access_provide = krb5 is correct.

Linda, I'm assuming you're using winbind. Is there any delay in getent returning any sort of output after a restart? I ask because we only have nss-ldapd to compare it with which returns getent output instantly.

Thanks so much for your input and interest.

Lynn x